USBGUARD(1)                                                        USBGUARD(1)

NAME

       usbguard - USBGuard command-line interface

SYNOPSIS

       usbguard OPTIONS command [COMMAND-OPTIONS] ...

       usbguard list-devices

       usbguard allow-device id

       usbguard block-device id

       usbguard reject-device id

       usbguard list-rules

       usbguard append-rule rule

       usbguard remove-rule id

       usbguard generate-policy

       usbguard watch

       usbguard read-descriptor file

       usbguard add-user name

       usbguard remove-user name

DESCRIPTION

       The usbguard command provides a command-line interface (CLI) to a
       running usbguard-daemon(8) instance. It also provides a tool for
       generating initial USBGuard policies based on USB devices connected to
       the system.

SUBCOMMANDS

   list-devices
       List all USB devices recognized by the USBGuard daemon.

       Available options:

       -a, --allowed
           List allowed devices.

       -b, --blocked
           List blocked devices.

       -h, --help
           Show help.

   allow-device [OPTIONS] id
       Authorize a device identified by the device id to interact with the
       system.

       Available options:

       -p, --permanent
           Make the decision permanent. A device specific allow rule will be
           appended to the current policy.

       -h, --help
           Show help.

   block-device [OPTIONS] id
       Deauthorize a device identified by the device id.

       Available options:

       -p, --permanent
           Make the decision permanent. A device specific block rule will be
           appended to the current policy.

       -h, --help
           Show help.

   reject-device [OPTIONS] id
       Deauthorize and remove a device identified by the device id.

       Available options:

       -p, --permanent
           Make the decision permanent. A device specific reject rule will be
           appended to the current policy.

       -h, --help
           Show help.

   list-rules [OPTIONS]
       List the rule set (policy) used by the USBGuard daemon.

       Available options:

       -d, --show-devices
           Show all devices which are affected by the specific rule.

       -h, --help
           Show help.

   append-rule [OPTIONS] rule
       Append the rule to the current rule set.

       Available options:

       -a, --after id
           Append the new rule after a rule with the specified rule id.

       -h, --help
           Show help.

   remove-rule [OPTIONS] id
       Remove a rule identified by the rule id from the rule set.

       Available options:

       -h, --help
           Show help.

   generate-policy [OPTIONS]
       Generate a rule set (policy) which authorizes the currently connected
       USB devices.

       Available options:

       -p, --with-ports
           Generate port specific rules for all devices. By default, port
           specific rules are generated only for devices which do not export
           an iSerial value.

       -P, --no-ports-sn
           Don’t generate port specific rules for devices without an iSerial
           value. Without this option, the tool will add a via-port attribute
           to any device that doesn’t provide a serial number. This is a
           security measure to limit devices that cannot be uniquely
           identified to connect only via a specific port. This makes it
           harder to bypass the policy since the real device will occupy the
           allowed USB port most of the time.

       -t, --target target
           Generate an explicit "catch all" rule with the specified target.
           The target can be one of the following values: allow, block, reject.

       -X, --no-hashes
           Don’t generate a hash attribute for each device.

       -H, --hash-only
           Generate a hash-only policy.

       -h, --help
           Show help.

   watch [OPTIONS]
       Watch the IPC interface events and print them to stdout.

       Available options:

       -w, --wait
           Wait for IPC connection to become available.

       -o, --once
           Wait only when starting, if needed. Exit when the connection is
           lost.

       -e, --exec path
           Run an executable file located at path for every event. Pass event
           data to the process via environment variables.

       -h, --help
           Show help.

   read-descriptor [OPTIONS] file
       Read a USB descriptor from a file and print it in human-readable form.

       Available options:

       -h, --help
           Show help.

   add-user name [OPTIONS]
       Create an IPC access control file allowing the user/group identified by
       name to use the USBGuard IPC bus. The change takes effect only after
       restarting the usbguard-daemon(8) instance.

       Available options:

       -u, --user
           The specified name represents a username or UID (default).

       -g, --group
           The specified name represents a groupname or GID.

       -p, --policy privileges
           Policy related privileges.

       -d, --devices privileges
           Device related privileges.

       -e, --exceptions privileges
           Exceptions related privileges.

       -P, --parameters privileges
           Run-time parameter related privileges.

       -h, --help
           Show help.

       Privileges:

       The privileges are expected to be in the form of a list separated by a
       colon:

               $ sudo usbguard add-user joe --devices=listen,modify

       Consult the usbguard-daemon.conf(5) man-page for a detailed list of
       available privileges in each section.

   remove-user name [OPTIONS]
       Remove an IPC access control file associated with the user/group
       identified by name. The change takes effect only after restarting the
       usbguard-daemon(8) instance.

       Available options:

       -u, --user
           The specified name represents a username or UID (default).

       -g, --group
           The specified name represents a groupname or GID.

       -h, --help
           Show help.

EXAMPLES

       Generating an initial policy:

               $ sudo usbguard generate-policy > rules.conf
               $ vi rules.conf
               (review/modify the rule set)
               $ sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
               $ sudo systemctl restart usbguard
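
       A review aid for the "review/modify the rule set" step above, added
       here as an example and not part of USBGuard: it lists allow rules that
       have neither a non-empty serial nor a via-port attribute (the rules
       -P produces) and allow rules with no hash attribute (the rules -X
       produces). The function names and the sample rules are constructed.

```sh
#!/bin/sh
# Added example: review aid for a generated rules.conf (not USBGuard code).

# Constructed sample in usbguard-rules.conf(5) syntax; ids, names and hash
# values are placeholders, not real devices.
write_sample_rules() {
    cat > "$1" <<'EOF'
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "PLACEHOLDER-HASH-1" with-interface 09:00:00
allow id 046d:c077 serial "" name "Optical Mouse" hash "PLACEHOLDER-HASH-2" via-port "1-2" with-interface 03:01:02
allow id 0781:5581 serial "" name "Flash Drive" hash "PLACEHOLDER-HASH-3" with-interface 08:06:50
allow id 0951:1666 serial "CONSTRUCTED0001" name "DataTraveler" with-interface 08:06:50
EOF
}

# Print "<line>: <reasons>: <rule>" for every allow rule that
#   - has no non-empty serial and no via-port (what -P produces), or
#   - has no hash attribute (what -X produces).
# Pattern matching only, not a full rule parser: attribute-like text inside
# a quoted name value can confuse it, so treat the output as a review list.
weak_allow_rules() {
    awk '
        $1 != "allow" { next }    # skip comments, blank lines, block/reject
        {
            why = ""
            if ($0 !~ / serial "[^"]+"/ && $0 !~ / via-port /)
                why = why " no-serial-no-port"
            if ($0 !~ / hash "/)
                why = why " no-hash"
            if (why != "")
                printf "%d:%s: %s\n", NR, why, $0
        }
    ' "$1"
}

# Stand-alone run on the constructed sample.
sample=$(mktemp)
write_sample_rules "$sample"
weak_allow_rules "$sample"
rm -f "$sample"
```

       To check a real policy, call weak_allow_rules on the generated
       rules.conf before installing it.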

SEE ALSO

       usbguard-daemon(8), usbguard-daemon.conf(5), usbguard-rules.conf(5)

                                  2019-07-27                       USBGUARD(1)